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AMENDMENTS TO CLAIMS 

1 . (Currently amended) A method of selectively enforcing a security policy in a network, 
the method comprising the computer-implemented steps of: 

receiving information defining one or more group lists, resource definitions, and 

definitions of users as members of one or more groups in the group lists, wherein 
the definitions include network addresses for the users, wherein the network 
addresses have been assigned by an address server; 

creating and storing one or more access controls in a policy enforcement point device that 
controls access of clients to the network, wherein each of the access controls 
specifies that a named abstract group is allowed access to a particular resource; 

receiving, from an external binding process separate from the address server , a binding of 
a network address to an authenticated user of one of the clients for which the 
policy enforcement point controls access to the network; 

updating the named group to include the bound network address of the authenticated user 
at the policy enforcement point; and 

permitting a packet flow originating from the network address to pass from the policy 
enforcement point into the network only if the network address is in the named 
group identified in one of the access controls that specifies that the named group 
is allowed access to the network. 

2. (Original) A method as recited in Claim 1 , wherein the steps of creating and storing 
one or more access controls in a policy enforcement point that controls access to the 
network comprise the steps of: 

creating and storing one or more definitions of groups in a data store; 

creating and storing one or more definitions of resources within a data store; 

creating and storing one or more access controls at the policy enforcement point, wherein 
each of the access controls specifies that a named group is allowed access to a 
particular resource, and wherein one of the access controls specifies that all other 
traffic is denied access to the network. 
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3. (Original) A method as recited in Claim 1, further comprising the steps of 
distributing the network address of the authenticated user and information identifying one 
or more groups of which the authenticated user is a member to all policy enforcement 
points of a protected network that the user seeks to access. 

4. (Original) A method as recited in Claim 1, further comprising the steps of 
distributing the network address of the authenticated user and information identifying one 
or more groups of which the authenticated user is a member to all policy enforcement 
points that define a security zone that encompasses the user. 

5. (Original) A method as recited in Claim 1, wherein the steps of receiving a binding 
of a network address to an authenticated user of a client for which the policy enforcement 
point controls access to the network comprises the steps of receiving an Internet Protocol 
(IP) address for the user from a network address binding resolution (NABR) process. 

6. (Original) A method as recited in Claim 1, further comprising the steps of 
determining that the user has discontinued use of the client, and deleting the network 
address to which the user is bound from each named group of each policy enforcement 
point of the network. 

7. -12. (Canceled) 

13. (Currently amended) A computer-readable medium carrying one or more sequences of 
instructions for selectively enforcing a security policy in a network, which instructions, 
when executed by one or more processors, cause the one or more processors to carry out 
the steps of: 

receiving information defining one or more group lists, resource definitions, and 

definitions of users as members of one or more groups in the group lists, wherein 
the definitions include network addresses for the users, wherein the network 
addresses have been assigned by an address server; 
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creating and storing one or more access controls in a policy enforcement point device that 
controls access of clients to the network, wherein each of the access controls 
specifies that a named abstract group is allowed access to a particular resource; 

receivin g, from an external binding process separate from the address server, a binding of 
a network address to an authenticated user of one of the clients for which the 
policy enforcement point controls access to the network; 

updating the named group to include the bound network address of the authenticated user 
at the policy enforcement point; and 

permitting a packet flow originating from the network address to pass from the policy 
enforcement point into the network only if the network address is in the named 
group identified in one of the access controls that specifies that the named group 
is allowed access to the network. 

14. (Original) A computer-readable medium as recited in Claim 13, wherein the 
instructions for carrying out the steps of creating and storing one or more access controls 
in a policy enforcement point that controls access to the network comprise instructions 
for carrying out the steps of: 

creating and storing one or more definitions of groups in a data store; 

creating and storing one or more definitions of resources within a data store; 

creating and storing one or more access controls at the policy enforcement point, wherein 
each of the access controls specifies that a named group is allowed access to a 
particular resource, and wherein one of the access controls specifies that all other 
traffic is denied access to the network. 

15. (Original) A computer-readable medium as recited in Claim 13, further comprising 
instructions which, when executed by the one or more processors, cause the one or more 
processors to carry out the steps of distributing the network address of the authenticated 
user and information identifying one or more groups of which the authenticated user is a 
member to all policy enforcement points of a protected network that the user seeks to 
access. 



Attorney Docket No.: 50325-0517 



4 



LEAR, Ser. No. 09/767,284, GAU 2135, Examiner P. Klimach 

REPLY TO OFFICE ACTION 



16. (Original) A computer-readable medium as recited in Claim 13, further comprising 
instructions which, when executed by the one or more processors, cause the one or more 
processors to carry out the steps of distributing the network address of the authenticated 
user and information identifying one or more groups of which the authenticated user is a 
member to all policy enforcement points that define a security zone that encompasses the 
user. 

17. (Original) A computer-readable medium as recited in Claim 13, wherein the 
instructions for carrying out the steps of receiving a binding of a network address to an 
authenticated user of a client for which the policy enforcement point controls access to 
the network comprise instructions for carrying out the steps of performing network 
address binding resolution for the user. 

18. (Original) A computer-readable medium as recited in Claim 13, further comprising 
instructions which, when executed by the one or more processors, cause the one or more 
processors to carry out the steps of determining that the user has discontinued use of the 
client, and deleting the network address to which the user is bound from each named 
group of each policy enforcement point of the network. 

1 9. (Currently amended) An apparatus for selectively enforcing a security policy in a 
network, comprising: 

means for receiving information defining one or more group lists, resource definitions, 
and definitions of users as members of one or more groups in the group lists, 
wherein the definitions include network addresses for the users, wherein the 
network addresses have been assigned by an address server; 

means for creating and storing one or more access controls in a policy enforcement point 
device that controls access of clients to the network, wherein each of the access 
controls specifies that a named abstract group is allowed access to a particular 
resource; 
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means for receiving , from an external binding process separate from the address server , a 
binding of a network address to an authenticated user of one of the clients for 
which the policy enforcement point controls access to the network; 

means for updating the named group to include the bound network address of the 
authenticated user at the policy enforcement point; and 

means for permitting a packet flow originating from the network address to pass from the 
policy enforcement point into the network only if the network address is in the 
named group identified in one of the access controls that specifies that the named 
group is allowed access to the network. 

(Currently amended) An apparatus for selectively enforcing a security policy in a 
network, comprising: 

a network interface that is coupled to the data network for receiving one or more packet 

flows therefrom; 
a processor; 

one or more stored sequences of instructions which, when executed by the processor, 
cause the processor to carry out the steps of: 

receiving information defining one or more group lists, resource definitions, and 
definitions of users as members of one or more groups in the group lists, 
wherein the definitions include network addresses for the users, wherein 
the network addresses have been assigned by an address server; 
creating and storing one or more access controls in a policy enforcement point 
device that controls access of clients to the network, wherein each of the 
access controls specifies that a named abstract group is allowed access to a 
particular resource; 

receivin g, from an external binding process separate from the address server, a 

binding of a network address to an authenticated user of one of the clients 
for which the policy enforcement point controls access to the network; 
updating the named group to include the bound network address of the 

authenticated user at the policy enforcement point; and 
permitting a packet flow originating from the network address to pass from the 

policy enforcement point into the network only if the network address is in 
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the named group identified in one of the access controls that specifies that 
the named group is allowed access to the network. 

21 . (Original) A method as recited in Claim 1, wherein the steps of receiving a binding 
of a network address to an authenticated user of a client for which the policy enforcement 
point controls access to the network comprises the steps of receiving an Internet Protocol 
(EP) address for the user from an ASAP protocol process. 

22. (Original) A method as recited in Claim 1, wherein the steps of receiving a binding 
of a network address to an authenticated user of a client for which the policy enforcement 
point controls access to the network comprises the steps of receiving an Internet Protocol 
(IP) address for the user from a DNS process. 

23. (Currently amended) A method of selectively enforcing a security policy in a network, 
the method comprising the computer-implemented steps of: 

receiving information defining one or more group lists, resource definitions, and 

definitions of users as members of one or more groups in the group lists, wherein 
the definitions include network addresses for the users, wherein the network 
addresses have been assigned by an address server; 

creating and storing one or more access control list entries in a network router that acts as 
a policy enforcement point device and that controls access of clients to the 
network, wherein each of the access control list entries specifies that a named 
group of users is allowed or refused access to a particular network resource; 

creating and storing one or more definitions of the named groups in a data store that is 
accessible by the network router; 

receiving, from an external process that can bind a user to a specific network address and 
that is separate from the address server , a binding of a network address to an 
authenticated user of one of the clients for which the router controls access to the 
network; 

updating the named group to include the bound network address of the authenticated user 
at the policy enforcement point; and 
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permitting a packet flow originating from the bound network address to pass from the 

policy enforcement point into the network only if the bound network address is in 
the named group identified in one of the access control list entries that specifies 
that the named group is allowed access to the network. 

24. (Currently amended) A method of selectively enforcing a security policy in a network, 

the method comprising the computer-implemented steps of: 

receiving information defining one or more group lists, resource definitions, and 

definitions of users as members of one or more groups in the group lists, wherein 
the definitions include network addresses for the users, wherein the network 
addresses have been assigned by an address server; 

creating and storing one or more access control list entries in a network router that acts as 
a policy enforcement point device and that controls access of clients to the 
network, wherein each of the access control list entries specifies that a named 
group of users is allowed or refused access to a particular network resource; 

creating and storing one or more definitions of the named groups in a data store that is 
accessible by the network router; 

receiving, from an external process that can bind a user to a specific network address and 
that is separate from the address server , a binding of a network address to an 
authenticated user of one of the clients for which the router controls access to the 
network; 

updating the named group to include the bound network address of the authenticated user 
at the policy enforcement point; 

permitting a packet flow originating from the bound network address to pass from the 

policy enforcement point into the network only if the bound network address is in 
the named group identified in one of the access control list entries that specifies 
that the named group is allowed access to the network; and 

distributing the network address of the authenticated user and information identifying one 
or more groups of which the authenticated user is a member to all policy 
enforcement points that define a security zone that encompasses the user; 
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determining that the user has discontinued use of the client, and deleting the network 
address to which the user is bound from each named group of each policy 
enforcement point of the network. 
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